The ITPaSWU for the week ending February 9th 2021

Happy ITPaSWU* Tuesday Daml’ers!

Valentine’s Day is coming up and we’ve got gifts for you. Lots of them.

The first is a great story on just how much precise data your phone shares about you with whoever cares to pay. We then move on to a collection of your data that’s so big, they just may know more about you than you know about yourself!

Swiftly we move on to furballs and kitties with a new ethnically targeted campaign that uses tech for all the wrong things. We tell you why it was better to stick with beer than water in the Tampa Bay Area for the Super Bowl last weekend and we finish with probably the most creative Valentine’s present you could ever come up with for your loved one!

It’s all here and it all adds up to the Best *IT Privacy and Security Weekly Update yet, so let’s get rolling!

US: They Stormed the Capitol. Their Apps Tracked Them.

An anonymous source has provided yet another data set, this time following the smartphones of thousands of Trump supporters, rioters and passers-by in Washington, D.C., on January 6, as Donald Trump’s political rally turned into a violent insurrection. At least five people died because of the riot at the Capitol. Key to bringing the mob to justice has been the event’s digital detritus: location data, geotagged photos, facial recognition, surveillance cameras and crowdsourcing.

The January 6th data-set the Times Opinion examined shows how Trump supporters traveled from South Carolina, Florida, Ohio and Kentucky to the nation’s capital, with pings tracing neatly along major highways, in the days before the attack. Stops at gas stations, restaurants and motels dot the route like bread crumbs, each offering corroborating details.

In many cases, these trails lead from the Capitol right back to their homes.

In the hands of law enforcement, this data could be evidence. But at every other moment, the location data is reviewed by hedge funds, financial institutions and marketers, in an attempt to learn more about where we shop and how we live.

Mobile phone data includes a remarkable piece of information: a unique ID for each user that is tied to a smartphone. This made it even easier to find people, since the supposedly anonymous ID could be matched with other databases containing the same ID, allowing us to add real names, addresses, phone numbers, email addresses and other information about smartphone owners in seconds.

The IDs, called mobile advertising identifiers, allow companies to track people across the internet and on apps. They are supposed to be anonymous, and smartphone owners can reset them or disable them entirely. Our findings show the promise of anonymity is a farce. Several companies offer tools to allow anyone with data to match the IDs with other databases.

We were quickly able to match more than 2,000 supposedly anonymous devices in the data set with email addresses, birthdays, ethnicities, ages and more.

One location data company, Cuebiq, publishes a list of customers that may receive the ID with precise smartphone locations. Companies listed there include household names like Adobe and Google, alongside a litany of lesser-known upstarts, like Hivestack, Mogean, Pelmorex and Ubimo.

The location-tracking industry exists because those in power allow it to exist. Plenty of Americans remain oblivious to this collection through no fault of their own. But many others understand what’s happening and allow it anyway.

So what’s the upshot for you? We are starting to understand the precision with which our mobile phones collect and provide data about us.
Further, this article provides terrific insight into the terrifying scope of potential clients to that data.
If you are not comfortable with entities you don’t even know of holding a complete record of every move you make, that discomfort is a good thing: it means you will be better prepared for the privacy debates about to erupt around us in the near future.

CN: China may have Personal Data of 80% of US Adults

According to a report that aired on CBS, the Chinese government may have a collection of personal data on as much as 80% of the adults in the United States. Former Director of the US National Counterintelligence and Security Center Bill Evanina warned the public that the People’s Republic of China is actively working to gather American DNA and health information. According to Evanina, the Chinese company BGI Group approached six different US states asking to construct and operate Covid-19 testing labs.

The report detailed how China is looking to be a world leader in DNA science and technology, effectively having the ability to turn health care’s future into the next space race. The PRC has also previously released a manifesto describing its quest to obtain and control human biodata.

Recent cyber-security research about the status of data protection in the health sector indicates that there is no real need for any foreign government to use advanced hacking methods to have access to personal health information (PHI) of US citizens.

For example, radiology data of approximately six million US citizens was discovered unprotected in late 2019, with no substantial improvement a year later. On top of that, the largest provider that had left its radiology archives connected to the public internet without any protection is owned by a Chinese investor.

So what’s the upshot for you? We want to highlight more of these stories, as the general public is becoming blasé about data breaches. From your perspective, the more data that is out there, the more there is to lose, and eventually that loss will have repercussions.

Global: How much is your info worth on the Dark Web? For Americans, it’s just $8

Personal information from US citizens found on the Dark Web—ranging from Social Security numbers, stolen credit card numbers, hacked PayPal accounts, and more—is worth just $8 on average, according to a new report from tech research firm Comparitech.

Researchers pored through the prices of personal data and information—called “fullz” by those searching for “full credentials”—that are available for sale on nearly 50 different Dark Web marketplaces, finding that Japan, the UAE, and EU countries have the most expensive identities available at an average price of $25, while UK identities average $14 and Australian ones $15.

So what’s the upshot for you? There’s not much an end user can do about data breaches except:

  • Register fewer accounts and minimize your digital footprint.
  • Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
  • Learn how to spot and avoid phishing emails and other messages.
  • Avoid credential stuffing by using strong, unique passwords on all of your accounts.

KP: A Whole Nuclear Program Financed by Cyber Attacks.

U.N. experts monitoring sanctions on the Northeast Asian nation, officially the Democratic People’s Republic of Korea, said in a report sent to Security Council members Monday that North Korea’s “total theft of virtual assets from 2019 to November 2020 is valued at approximately $316.4 million.”

The panel said its investigations found that North Korean-linked cyber actors continued to conduct operations in 2020 against financial institutions and virtual currency exchange houses to generate money to support its weapons of mass destruction and ballistic missile programs.

In its weapons development, the experts said, Kim Jong Un’s government has produced fissile material — an essential ingredient for producing nuclear weapons — and maintained its nuclear facilities.
“It displayed new short-range, medium-range, submarine-launched and intercontinental ballistic missile systems at military parades, it announced preparation for testing and production of new ballistic missile warheads, development of tactical nuclear weapons … and upgraded its ballistic missile infrastructure."

So what’s the upshot for you? You pay the ransom, they build a bomb. One of the biggest wars in the world requires no uniform, gun or special equipment and it can often leverage your online assets.

Global: Cybercriminals Turn Legitimate Tools Against Users

Microsoft Power Automate is the new PowerShell, designed to automate mundane, day-to-day user tasks in both Microsoft 365 and Azure, and it is enabled by default in all Microsoft 365 applications.

This tool can reduce the time and effort it takes to accomplish certain tasks — which is beneficial for both authorized users and potential attackers.

With more than 350 connectors to third-party applications and services available, there are vast attack options for cybercriminals who use Power Automate.

The malicious use of Power Automate recently came to the forefront when Microsoft announced it found advanced threat actors in a large multinational organization that were using the tool to automate the exfiltration of data.

This particular incident had gone on undetected for over 200 days.

So what’s the upshot for you? AWS broke new ground by offering services that were all disabled or turned off by default. Perhaps it really is time for Microsoft to do the same. If you run a Microsoft 365 environment and are not using some of the new service offerings provided, it might be worth running a quick audit and turning them off.

IR: Over 1,200 Iranians Targeted in Domestic Kitten Surveillance Campaign.

The attacks, which Check Point refers to collectively as Domestic Kitten, have been ongoing for roughly four years, orchestrated by a threat actor tracked as APT-C-50, which executes the campaigns on behalf of the Iranian government.
The targets of these attacks, the researchers say, are the Kurdish minority in Iran, opposition forces, internal dissidents, ISIS advocates, and other individuals that the Iranian regime believes could represent a threat.
A total of 10 unique campaigns were observed to date, including 4 that are currently active. The most recent of these campaigns started in November 2020.
Dubbed FurBall and based on commercially available spyware called KidLogger, the malware leveraged in these attacks is capable of collecting information such as device identifiers, SMS messages, call logs, contact lists, user accounts, browsing history, and a list of installed applications.
It can access a device’s microphone and camera to record sound and video, can record calls, steal files (including from external storage), track the device’s location, and delete messages and files.

So what’s the upshot for you? “FurBall” and “Domestic Kitten”? Cute names are a creative way to get the public to focus on a news article, but in the case of this ethnically targeted cyber campaign the attention is merited.
It may be smaller in scope than China’s relentless suppression of the Uighur, but it is no less invasive. In some wars it appears that the most dangerous thing to carry is the phone in your pocket.

AU: Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Cyber cops in Ukraine carried out an arrest and several raids last week in connection with the author of U-Admin, a software package used to administer what’s being called “one of the world’s largest phishing services.” The operation was carried out in coordination with the FBI and authorities in Australia, which was particularly hard hit by phishing scams perpetrated by U-Admin customers.

“According to the analysis of foreign law enforcement agencies, more than 50% of all phishing attacks in 2019 in Australia were carried out thanks to the development of the Ternopil hacker,” the attorney general’s office said, noting that investigators had identified hundreds of U-Admin customers.

Brad Marden, superintendent of cybercrime operations for the Australian Federal Police (AFP), said their investigation into who was behind U-Admin began in late 2018, after Australian citizens began getting deluged with phishing attacks via mobile text messages that leveraged the software.

“It was rampant,” Marden said, noting that the AFP identified the suspect and referred the case to the Ukrainians for prosecution. “At one stage in 2019 we had a couple of hundred SMS phishing campaigns tied to just this particular actor. Pretty much every Australian received a half dozen of these phishing attempts.”

So what’s the upshot for you? It’s amazing to imagine the volume of phishing attacks emanating from this single source. What it does do, though, is highlight the value of phishing training and up-to-date education. We might hate it, but it’s worth it when compromising a whole company only takes one person acting as the entry point.

US: You really don’t want 100 times more lye in your drinking water.

“A plant operator was sitting in front of a computer system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual,” Pinellas County Sheriff Bob Gualtieri said, because his supervisor regularly accessed the system remotely.

The intruder used a software program, named TeamViewer, to gain remote access to the water plant computer system.

At about 1:30 p.m. the same day, Gualtieri said, “someone accessed the system again. This time the operator watched as someone took control of the mouse, directed it to the software that controls water treatment, worked inside it for three to five minutes and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.”

Lye is an additive used to reduce the acidity of the water supply; at 100x the normal level it makes the water highly corrosive and poisonous.

“The attacker eventually left the system and the operator changed the concentration back to 100 parts per million.”

“The important thing is to put everyone on notice. There’s a bad actor out there.”

So what’s the upshot for you? This story left us speechless. Infrastructure is next for the hacking community, so maybe it’s time to stock up on bottled water and batteries.
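
The incident above got as far as the chemical dosing setpoint because nothing between the remote-access session and the process questioned a 111x change. As an added example (not code from the plant, the sheriff's office or any vendor), the following Python guard shows the kind of plausibility check a control system can enforce on every setpoint command regardless of who issued it: an absolute safe band, a maximum relative change per command, and an audit trail of every decision. The limits here are constructed for illustration and are not real treatment-plant values; in a real plant the same logic belongs in the PLC or HMI, not in a script.

```python
"""Plausibility checks on operator setpoint changes, as a last line of defence
behind remote-access controls.

All limits below are constructed for this example and are NOT real plant values:
a hypothetical plant doses sodium hydroxide at around 100 ppm, so the guard
allows 50-200 ppm and at most a 25% change in a single command.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Limit:
    low: float           # absolute floor for the setpoint
    high: float          # absolute ceiling for the setpoint
    max_step_pct: float  # largest relative change one command may make


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


class SetpointGuard:
    """Validates requested setpoints against configured limits and records every request."""

    def __init__(self, limits: Dict[str, Limit]):
        self.limits = limits
        # Every decision, accepted or rejected, goes into the audit log so that a
        # rejected 100 -> 11,100 ppm request is visible to operators and investigators.
        self.audit: List[Tuple[datetime, str, str, float, float, Decision]] = []

    def check(self, parameter: str, current: float, requested: float,
              operator: str = "unknown") -> Decision:
        limit = self.limits.get(parameter)
        if limit is None:
            # Unknown parameters are rejected rather than passed through untouched.
            decision = Decision(False, f"no limits configured for {parameter}")
        elif not (limit.low <= requested <= limit.high):
            decision = Decision(False, f"{requested} outside safe band {limit.low}-{limit.high}")
        elif current > 0 and abs(requested - current) / current * 100 > limit.max_step_pct:
            # Rate-of-change check: even an in-band value must not jump too far at once.
            # (Skipped when current is 0, since a relative change is undefined there.)
            decision = Decision(False, f"change from {current} to {requested} exceeds "
                                       f"{limit.max_step_pct}% per command")
        else:
            decision = Decision(True, "within limits")
        self.audit.append((datetime.now(timezone.utc), operator, parameter,
                           current, requested, decision))
        return decision


# Constructed limits for the hypothetical plant (see module docstring).
PLANT_LIMITS = {"sodium_hydroxide_ppm": Limit(low=50, high=200, max_step_pct=25)}

if __name__ == "__main__":
    guard = SetpointGuard(PLANT_LIMITS)
    for current, requested in [(100, 110), (100, 140), (100, 11100)]:
        d = guard.check("sodium_hydroxide_ppm", current, requested, operator="remote-session")
        print(f"{current} -> {requested}: {'ACCEPTED' if d.accepted else 'REJECTED'} ({d.reason})")
```

The point of the two separate checks is that the absolute band alone would still accept a jump from 100 to 200 ppm in one command; the per-command step limit forces large changes to be made deliberately, in several visible steps, and the audit list gives the operator who watched the mouse move a record to hand to investigators.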

Global: Brute-force RDP connection attempts up over 700% in the last quarter of 2020

The COVID-19 pandemic continued to influence the cybercrime landscape, the ESET security team reports.
Most notably, the new attack surface created by the shift to work from home brought further growth of Remote Desktop Protocol (RDP) attacks, albeit at a slower rate compared to previous quarters. Between Q1 and Q4 2020, ESET telemetry recorded a staggering 768% increase in RDP attack attempts.

“RDP security is not to be underestimated especially due to ransomware, which is commonly deployed through RDP exploits, and, with its increasingly aggressive tactics, poses a great risk to both private and public sectors. As the security of remote work gradually improves, the boom in attacks exploiting RDP is expected to slow down – we already saw some signs of this in Q4.”

So what’s the upshot for you? RDP is most often found on Windows machines, but as we learned in our drinking water story, any accessible remote desktop app or protocol used with a weak username/password combination can be a liability. If you don’t use them, uninstall them or turn them off. If you do, use a complex password.
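
The 768% figure above comes from ESET's telemetry, but the same attempts are visible in your own Windows Security log as a stream of event 4625 (failed logon) records. As an added example, not code from ESET or Microsoft, the Python below runs the two checks a defender wants over such records: a sliding-window count of failures per source address (brute force) and a count of distinct target accounts per source (password spraying). The log lines are constructed for this example, in a simplified comma-separated export format that is an assumption here, not a Windows format; the event ID and logon-type numbers are the real Windows values.

```python
"""Flag brute-force and password-spraying patterns in Windows logon-failure events.

SAMPLE_LOG is constructed for this example. Each line is a simplified export of
one Security event: time, event ID, target user name, source IP, logon type.
Event 4625 is a failed logon; logon type 10 is RemoteInteractive (RDP), and
type 3 is how RDP failures appear when Network Level Authentication rejects
the attempt before a session is created.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2021-02-05T08:01:03Z,4625,administrator,203.0.113.7,10
2021-02-05T08:01:09Z,4625,administrator,203.0.113.7,10
2021-02-05T08:01:14Z,4625,admin,203.0.113.7,10
2021-02-05T08:01:20Z,4625,backup,203.0.113.7,3
2021-02-05T08:01:27Z,4625,jsmith,203.0.113.7,10
2021-02-05T08:01:33Z,4625,operator,203.0.113.7,10
2021-02-05T08:02:10Z,4625,jsmith,198.51.100.4,10
2021-02-05T08:30:00Z,4625,jsmith,198.51.100.4,10
2021-02-05T08:31:15Z,4624,jsmith,198.51.100.4,10
"""

FAILED_LOGON = 4625
RDP_LOGON_TYPES = {3, 10}


def parse_events(text):
    """Parse the simplified export into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, ip, logon_type = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(event_id),
            "user": user,
            "ip": ip,
            "logon_type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["time"])


def rdp_failures(events):
    """Keep only failed logons whose logon type is consistent with RDP."""
    return [e for e in events
            if e["event_id"] == FAILED_LOGON and e["logon_type"] in RDP_LOGON_TYPES]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak failures seen inside one window} for IPs reaching the threshold."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peaks = {}
    for e in rdp_failures(events):
        q = recent[e["ip"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[e["ip"]] = max(peaks.get(e["ip"], 0), len(q))
    return peaks


def find_spraying(events, min_users=3):
    """Return {ip: sorted distinct target accounts} for IPs trying many accounts."""
    users = defaultdict(set)
    for e in rdp_failures(events):
        users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ip, n in find_bruteforce(evs).items():
        print(f"brute force: {ip} produced {n} RDP logon failures inside 5 minutes")
    for ip, names in find_spraying(evs).items():
        print(f"password spray: {ip} tried {len(names)} accounts: {', '.join(names)}")
```

Two failures from 198.51.100.4 half an hour apart never trip either rule, which is the behaviour you want: the thresholds are tuned so that a user mistyping a password is not paged on, while a source hammering several accounts within seconds is. On a real host the same counts can be produced from `Get-WinEvent` output or a SIEM query, and the usual responses are account lockout policy, NLA, and not exposing 3389 to the internet at all.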

Global: Barcode Scanner app goes Rogue

Malwarebytes writes: "Late last December we started getting a distress call from our forum patrons. Patrons were experiencing ads that were opening via their default browser out of nowhere.
The odd part is none of them had recently installed any apps, and the apps they had installed came from the Google Play store.

Then one patron discovered that it was coming from a long-time installed app, Barcode Scanner… the exact publisher is LavaBird LTD.

The app has had over 10,000,000 installs from Google Play in the 3-4 years it has been available. After an update in December, Barcode Scanner had gone from an innocent scanner to full on malware!

In the case of Barcode Scanner, malicious code had been added that was not in previous versions of the app. Furthermore, the added code used heavy obfuscation to avoid detection. To verify this is from the same app developer, we confirmed it had been signed by the same digital certificate as previous clean versions.
Google has already pulled this app, but if you use a barcode scanner, you may want to check that it’s not the LavaBird version… actually, if it was, you already know."

So what’s the upshot for you? It may be time to do a Marie Kondo on your phone. Clean up the apps you no longer use and perhaps consider refreshing the ones you do.

UK: Mensa Website Hacked After Britain’s Smartest Folk Failed To Secure Passwords

British Mensa, the society for people with high IQs, failed to properly secure the passwords on its website, prompting a hack on its website that has resulted in the theft of members’ personal data.

Eugene Hopkinson, a former director and technology officer at British Mensa, stood down this week, claiming that the organization had failed to secure the data of its 18,000 members properly, according to a report in the Financial Times.

Hopkinson claimed that the stored passwords of Mensa members were not hashed, potentially allowing hackers to unscramble them.

That apparent security blunder became all the more serious this week when the society admitted it had been the victim of a cyberattack.

Several stashes of Mensa personal data have been posted onto the Pastebin website.

Hopkinson told the Financial Times that the Mensa website held lots of sensitive information on its members, including payment details, instant messaging conversations and IQ scores of both current members and failed applicants.

“If a breach is found to have taken place, I have no faith that the [Mensa] board and office will report it adequately… or take sufficient mitigating action to prevent further harm,” Hopkinson wrote in an open letter announcing his resignation.

A spokesperson for Mensa told the Financial Times that member passwords had been encrypted and that the organization was in the process of hashing passwords. The spokesperson denied that passwords were ever sent out in plain text and said that it had handed details of the cyberattack to Britain’s Information Commissioner “with a view to pursuing a criminal investigation”.

Mensa is a non-profit organization, open only to those people who score in the 98th percentile or higher in a standardized IQ test.

So what’s the upshot for you? Even smart people make dumb mistakes. If you get notified of a breach for any online service, remember to update your password to a complex one ASAP, and if there is 2FA available, enable it and use it!
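
The distinction at the heart of this story is between "encrypted" passwords, which whoever holds the key can turn back into plaintext, and hashed ones, which cannot be reversed and must be guessed one at a time. As an added example (not Mensa's code, and not taken from any library), the Python below shows salted, iterated hashing with PBKDF2-HMAC-SHA256 from the standard library, constant-time verification, and the transparent upgrade-at-login step an organization uses when it is "in the process of hashing passwords". The record format and iteration count are choices made here for illustration.

```python
"""Salted, iterated password hashing with the Python standard library.

Record format (chosen for this example): algorithm$iterations$salt_hex$digest_hex
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # raise over time as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, *, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh random salt is used unless one is given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed or legacy record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy (old format or fewer rounds)."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    return int(parts[1]) < target_iterations


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password and, on success, return an upgraded record if policy has moved on.

    This is the only moment a site holds the plaintext, so it is the only moment a
    legacy or under-strength record can be replaced without asking users to reset.
    """
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)
    return True, record


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple", iterations=50_000)  # legacy strength
    ok, upgraded = login("correct horse battery staple", stored)
    print("login ok:", ok, "| upgraded:", upgraded != stored)
    print("wrong password accepted:", verify_password("wrong", upgraded))
```

Because the salt and iteration count travel with each record, every password gets its own salt (so two members with the same password store different digests) and the site can raise the work factor later without a mass reset: `needs_rehash` spots the old records and `login` replaces them the next time each member signs in.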

Global: Google to offer heart and respiratory rate measurements using just your smartphone’s camera

Google is introducing features that will allow users to take vital health measurements using just the camera they already have on their smartphone, expanding to a whole new group of people health and fitness features typically only available on dedicated wearables.

Beginning next month, and available initially on Google Pixel phones exclusively (but with plans to offer it for other Android devices in the future), users will be able to measure both their heart rate and their respiratory rate using just their device’s camera.

Google’s hardware and software teams have managed to develop computer vision-based methods for taking these measurements using only smartphone cameras, which it says can produce results that are comparable to clinical-grade measurement hardware. Google is going to make these measurement features available to users within the next month, it says, via the Google Fit app, and initially on currently available Pixel devices made by the company itself.

So what’s the upshot for you? The FitBit purchase already has some alarmed that Google is collecting all our data and now PHI (personal health information). We like the idea of keeping everything separate and for that reason might endorse Garmin as a fitness tracker. However, if you don’t mind them collecting more of your intimate data, Google is offering you additional insight into your health.

Global: Don’t put your iPhone 12 near your heart this Valentine’s Day.

The new magnetic circular array introduced in iPhone 12 smartphones last year to support the MagSafe charging technology can disrupt implantable cardioverter-defibrillator (ICD) medical devices.
The warning comes from three cardiac electrophysiology doctors from the Henry Ford Heart and Vascular Institute at the Henry Ford Hospital in Detroit, Michigan.

Apple says “if users suspect that their iPhone or any MagSafe accessories are interfering with their medical devices, they should stop using their iPhone or MagSafe accessories right away.”

So what’s the upshot for you? Not offering an opinion, but perhaps also not the biggest fans of MagSafe, as some say the units cost too much, don’t come with the wall charger, don’t work with non-MagSafe iPhone cases and now… the magnet in the phone can blatt your pacemaker!!!

Thankfully that last item probably isn’t an issue for most of us, but really? Where else do you carry your phone if not closest to your heart!

US: New Twist for a Bug Bounty program: Armor and a Tat!

To test non-monetary incentives: in addition to the 1 million ARMOR or 25 Ether (whichever is more valuable) reward for finding a bug that’ll result in over $1M lost, I’ll get a tattoo of your name/handle. And you can hold me to that.

Robert M.C. Forster Co-founder & CTO, Founder & CEO,

But the winner, Alexander Schlindwein, said the tattoo doesn’t need to be his name or his handle.

Robert has asked for suggestions…

So what’s the upshot for you? What a superb Valentine’s gift!

This reminds us a little bit of the “free pizza for a year” tattoo offer from a NY pizza parlor… but a beautiful heart with a cupid’s arrow and your initials could make the perfect valentine for your sweetheart on some CEO’s arm!

That’s it for this week DAML’ers!

Have a safe, secure, and happy Valentine’s Day… and see you in se7en!
